From 444565d0fc9ff4651bb276437dcabc479a5e160c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 20 Jan 2026 03:27:57 +0000 Subject: [PATCH 1/3] Initial plan From 0c4065b361ede912d0ed9452a3cca2392ca95abe Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 20 Jan 2026 03:33:27 +0000 Subject: [PATCH 2/3] Initial investigation: Copilot CLI API error in Code Scanning Fixer Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/go-fan.lock.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index b6bc7a4f49c..4e2d891b4a8 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -29,6 +29,7 @@ name: "Go Fan" "on": schedule: - cron: "0 7 * * 1-5" + # Friendly format: daily (scattered) workflow_dispatch: permissions: {} From 3cb3c7a4646ed455545e1d6990218559064ce6f7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 20 Jan 2026 03:38:49 +0000 Subject: [PATCH 3/3] Add noop tool requirement for graceful completion in Code Scanning Fixer When no high severity alerts are found, the agent correctly reports success but may encounter transient Copilot API errors like "missing finish_reason". Now explicitly require using the noop tool to signal successful completion, which prevents these transient errors from being reported as workflow failures. Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/code-scanning-fixer.lock.yml | 16 +++++++++++++--- .github/workflows/code-scanning-fixer.md | 16 +++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 60e4801b980..d3996085a29 100644 
--- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -571,6 +571,11 @@ jobs: - Exit gracefully with a clear status message - The workflow will retry automatically on the next scheduled run + **Graceful Completion**: When your work is complete (especially when no action is needed): + - **ALWAYS** use the `noop` tool to signal successful completion + - This prevents transient API errors from being reported as workflow failures + - Example: `noop(message="No unfixed high severity alerts found. All security issues are resolved.")` + **Tool Usage**: When using GitHub MCP tools: - Always specify explicit parameter values: `owner="githubnext"` and `repo="gh-aw"` - Do NOT attempt to reference GitHub context variables or placeholders @@ -615,7 +620,10 @@ jobs: From the list of high severity alerts: - Exclude any alert numbers that are in the cache (already fixed) - Select the first alert from the filtered list - - If no unfixed high severity alerts remain, exit gracefully with message: "No unfixed high severity alerts found. All high severity issues have been addressed!" + - If no unfixed high severity alerts remain: + - **MUST** call `noop(message="No unfixed high severity alerts found. All high severity issues have been addressed!")` + - This signals successful completion and prevents transient API errors from being reported as failures + - Exit gracefully ### 4. Get Alert Details 
@@ -730,11 +738,13 @@ jobs: ## Error Handling If any step fails: - - **No High Severity Alerts**: Log "No high severity alerts found" and exit gracefully - - **All Alerts Already Fixed**: Log success message and exit gracefully + - **No High Severity Alerts**: Call `noop(message="No high severity alerts found")` and exit gracefully + - **All Alerts Already Fixed**: Call `noop(message="All high severity alerts have been addressed")` and exit gracefully - **Read Error**: Report the error and exit - **Fix Generation Failed**: Document why the fix couldn't be automated and exit + **Important**: Always use the `noop` tool to signal successful completion when no action is needed. This prevents transient API errors from being incorrectly reported as workflow failures. + ## Important Notes - **Every 30 Minutes**: This workflow runs every 30 minutes to quickly address security alerts diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index dc2d2b3d66f..8418fe04e53 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -36,6 +36,11 @@ You are a security-focused code analysis agent that automatically fixes high sev - Exit gracefully with a clear status message - The workflow will retry automatically on the next scheduled run +**Graceful Completion**: When your work is complete (especially when no action is needed): +- **ALWAYS** use the `noop` tool to signal successful completion +- This prevents transient API errors from being reported as workflow failures +- Example: `noop(message="No unfixed high severity alerts found. All security issues are resolved.")` + **Tool Usage**: When using GitHub MCP tools: - Always specify explicit parameter values: `owner="githubnext"` and `repo="gh-aw"` - Do NOT attempt to reference GitHub context variables or placeholders 
@@ -80,7 +85,10 @@ Use the GitHub MCP server to list all open code scanning alerts with high severi From the list of high severity alerts: - Exclude any alert numbers that are in the cache (already fixed) - Select the first alert from the filtered list -- If no unfixed high severity alerts remain, exit gracefully with message: "No unfixed high severity alerts found. All high severity issues have been addressed!" +- If no unfixed high severity alerts remain: + - **MUST** call `noop(message="No unfixed high severity alerts found. All high severity issues have been addressed!")` + - This signals successful completion and prevents transient API errors from being reported as failures + - Exit gracefully ### 4. Get Alert Details @@ -195,11 +203,13 @@ Each line is a separate JSON object representing one fixed alert. ## Error Handling If any step fails: -- **No High Severity Alerts**: Log "No high severity alerts found" and exit gracefully -- **All Alerts Already Fixed**: Log success message and exit gracefully +- **No High Severity Alerts**: Call `noop(message="No high severity alerts found")` and exit gracefully +- **All Alerts Already Fixed**: Call `noop(message="All high severity alerts have been addressed")` and exit gracefully - **Read Error**: Report the error and exit - **Fix Generation Failed**: Document why the fix couldn't be automated and exit +**Important**: Always use the `noop` tool to signal successful completion when no action is needed. This prevents transient API errors from being incorrectly reported as workflow failures. + ## Important Notes - **Every 30 Minutes**: This workflow runs every 30 minutes to quickly address security alerts
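
Review bot: The comment added in .github/workflows/go-fan.lock.yml, `# Friendly format: daily (scattered)`, does not match the schedule it annotates: `cron: "0 7 * * 1-5"` runs Monday to Friday only, so "daily" should read "weekdays" or the comment should be dropped. The change also rides in a commit whose subject is an investigation of the Code Scanning Fixer while touching a different workflow; splitting it out would let the fixer change be reviewed and reverted on its own.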
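
Review bot: The Graceful Completion block (both code-scanning-fixer.md and the .lock.yml copy) puts no limit on when `noop` may be called: "**ALWAYS** use the `noop` tool to signal successful completion" is paired with the stated goal of keeping API errors from being reported as workflow failures. For a workflow that fixes security alerts, that needs a guard in the other direction. State that `noop` is valid only after the alert listing call has returned successfully, and never on the Read Error or Fix Generation Failed paths, so a run that could not read the alerts is not recorded as a clean one. The example message also says "All security issues are resolved", but the workflow only examines high severity alerts; use the step 3 wording instead.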
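
Review bot: In the step 3 hunk, the `noop` message "All high severity issues have been addressed!" is sent whenever the filtered list is empty, but the list being filtered is the set of open high severity alerts and the filter is cache membership ("Exclude any alert numbers that are in the cache (already fixed)"). An alert can therefore be in the cache and still open, and the run would report it as addressed. Suggest having the message carry what was actually observed, for example the number of open high severity alerts and the number skipped because they were cached, rather than a blanket statement. The trailing "Exit gracefully" sub-bullet also leaves it unclear whether anything else is expected after `noop`; say that `noop` is the final action.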
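
Review bot: The Error Handling list is still introduced with "If any step fails:", yet its first two entries now call `noop`, which this patch defines as the success signal. Move "No High Severity Alerts" and "All Alerts Already Fixed" under a separate nothing-to-do heading so success and failure paths are not mixed in one list. The patch also introduces four different message strings for essentially the same outcome ("No unfixed high severity alerts found. All security issues are resolved.", "No unfixed high severity alerts found. All high severity issues have been addressed!", "No high severity alerts found", "All high severity alerts have been addressed"); settle on one per outcome so runs that ended in `noop` can be matched reliably in logs. The added **Important** paragraph repeats the Graceful Completion block, so one of the two can go.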